What Happens During a Physical Security Assessment?

Many business owners and property managers believe they have a sense of their security posture simply because they have cameras, locks, and perhaps a security guard. In reality, the gap between "we have security measures" and "our security measures actually work" can be enormous -- and a professional physical security assessment is the only reliable way to find out where that gap exists. Understanding the process before you engage an assessment team helps you get the most value from the engagement and understand what the findings mean.

The Difference Between a Security Survey and a True Assessment

These two terms are often used interchangeably, but they describe fundamentally different levels of service. A security survey is primarily observational: an assessor walks the property, notes what security measures are present, and lists them. It is a snapshot inventory. A security assessment goes significantly deeper -- it evaluates whether the measures present are adequate, whether they are functioning as intended, whether they cover all relevant threat scenarios, and whether the gaps between them could be exploited.

ASIS International's published standards and guidelines for physical security establish a framework for true assessment methodology, including threat and vulnerability analysis, criticality ratings, and risk-ranked recommendation development. A survey tells you what you have. An assessment tells you whether what you have is enough -- and what to do about it when it isn't.

Phase 1: Pre-Assessment Intake

A professional assessment begins before the assessor sets foot on the property. During the intake phase, the investigator or security consultant gathers essential background information:

• Property type, size, and layout (floor plans or site maps if available)
• Business type, operating hours, and staffing patterns
• Known security concerns or prior incidents
• Existing security documentation (security policies, access control records, incident logs)
• Assets requiring protection (inventory, cash handling, sensitive data, high-value equipment, personnel)
• Relevant threat history for the area (crime statistics, prior incidents at neighboring properties)

This intake allows the assessor to develop a threat model specific to the property before arriving -- understanding what a burglar, a disgruntled employee, a violent intruder, or a sophisticated criminal enterprise would target and how they would likely approach the attempt. Without this context, an on-site walkthrough produces only generic observations.

Phase 2: On-Site Walkthrough and Perimeter Evaluation

The on-site phase begins from the outside in. Assessors evaluate the entire exterior perimeter before entering the building or property, examining:

• Perimeter barriers: Fencing, walls, landscaping features, natural barriers, and vehicle barriers. Are they present where needed? Are there gaps? Can they be defeated easily?
• Lighting: Exterior lighting coverage at all hours. Dark zones along building faces, parking areas, loading docks, and pathways are exploitation vectors.
• Signage and deterrence: Warning signage, visible camera presence, and other deterrents that reduce opportunistic crime.
• Vehicle access and parking: Is it possible to park close to the building in a way that enables a ram-raid attack or provides concealment for surveillance? Are delivery areas controlled?
• Entry and exit points: Every door, gate, loading dock, roof hatch, utility access point, and window that could serve as an entry is documented and evaluated.

Phase 3: Access Control Review

Access control is frequently where the largest gaps exist. Many organizations have installed card readers or key-fob systems but have never audited who has active credentials, whether terminated employees' access has been removed, or whether the system logs are being reviewed.

The assessor evaluates:

• How access credentials are issued, tracked, and revoked
• Whether access is appropriately tiered (not every employee should have access to every area)
• Whether tailgating and piggybacking (following an authorized person through a controlled door) are practically preventable
• Whether physical keys supplement or undermine electronic access control
• The quality and currency of the access control system hardware and software
• Whether visitor access is properly controlled and logged

Phase 4: CCTV Gap Analysis

Video surveillance systems are only as valuable as their coverage, image quality, and retention configuration. Many businesses discover during an assessment that their camera system has significant blind spots -- and often the blind spots are not random, but occur precisely in the areas where an opportunistic intruder or dishonest employee would operate.

The CCTV analysis documents every camera's field of view, evaluates image resolution and night-vision capability, tests whether the system produces footage of sufficient quality to support law enforcement identification or legal proceedings, reviews the recording and retention configuration, and identifies areas of the property not covered by any camera.

The Department of Homeland Security's CISA physical security resources emphasize that video surveillance is most effective as part of a layered security approach -- detection, delay, and response working together -- rather than as a standalone control. An assessment evaluates how well your CCTV integrates with your other controls.

Phase 5: Staff and Procedure Observations

Human factors are often the weakest link in physical security. Even excellent hardware and infrastructure can be defeated by poor procedures or undertrained staff. During this phase, assessors observe (without disrupting operations) how staff actually behave in practice -- as distinct from how policies say they should behave.

Common findings include: doors propped open for convenience, visitors escorted through access control points without being properly logged, alarm codes shared verbally, key storage practices that undermine key control, and staff who have not been briefed on active threat response procedures.

Assessors may also attempt controlled social engineering tests -- for example, attempting to enter a restricted area by claiming a plausible pretext -- to evaluate staff response in a low-stakes environment. These tests reveal training gaps that cannot be identified through document review alone.

Phase 6: Written Findings Report with Prioritized Recommendations

A professional assessment produces a written report -- not a verbal debrief. The report documents every finding with its location, the nature of the vulnerability or gap, the threat scenario it enables, and a prioritized recommendation for remediation.

Recommendations are typically tiered by urgency: immediate action items (critical gaps that could be exploited today), near-term improvements (significant gaps addressable within 30-90 days), and long-term strategic recommendations (capital investments or policy changes that address structural vulnerabilities). This tiering allows decision-makers to allocate resources effectively rather than facing an undifferentiated list of improvements.

The Florida Department of Law Enforcement (FDLE) and local law enforcement agencies in Southwest Florida recognize the value of professional security assessments in reducing commercial and residential crime. In some cases, insurance carriers offer reduced premiums for properties that have undergone documented professional security assessments and implemented their recommendations.

Who Benefits from a Physical Security Assessment?

Physical security assessments are valuable for a wide range of clients:

• Commercial businesses concerned about theft, employee safety, or after-hours intrusion
• Healthcare facilities with controlled substance storage, patient data, or workplace violence concerns
• Residential properties for high-net-worth individuals or families with security concerns
• Property managers evaluating security at multi-tenant commercial or residential properties
• Attorneys advising clients in premises liability cases who need an independent security expert evaluation
• Business owners after a security incident who want to understand how it happened and prevent recurrence

Red Eye Investigations conducts physical security assessments across Southwest Florida, delivering findings in clear, actionable written reports. Our team combines law enforcement experience with professional investigative methodology to identify vulnerabilities that are not apparent in a casual review -- and to give you a defensible, prioritized path to improvement.